From: Ping-Ke Shih Date: Tue, 25 Mar 2025 02:54:24 +0000 (+0800) Subject: wifi: rtw89: fw: cast mfw_hdr pointer from address of zeroth byte of firmware->data X-Git-Tag: v6.16-rc1~132^2~46^2~7^2~86 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bc1265b5c982fc73077812a8be727ba3d734164b;p=thirdparty%2Fkernel%2Fstable.git wifi: rtw89: fw: cast mfw_hdr pointer from address of zeroth byte of firmware->data The firmware->size is validated before using firmware->data, but Coverity still reports: Downcasting "firmware->data" from "u8 const *" to "struct rtw89_mfw_hdr" implies that the data that this pointer points to is tainted." Using &firmware->data[0] to avoid the warning. No change logic at all. Addresses-Coverity-ID: 1494046 ("Untrusted loop bound") Addresses-Coverity-ID: 1544385 ("Untrusted array index read") Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/20250325025424.14079-1-pkshih@realtek.com --- diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c index c7172334f895d..16499fce94ccd 100644 --- a/drivers/net/wireless/realtek/rtw89/fw.c +++ b/drivers/net/wireless/realtek/rtw89/fw.c @@ -554,7 +554,7 @@ const struct rtw89_mfw_hdr *rtw89_mfw_get_hdr_ptr(struct rtw89_dev *rtwdev, if (sizeof(*mfw_hdr) > firmware->size) return NULL; - mfw_hdr = (const struct rtw89_mfw_hdr *)firmware->data; + mfw_hdr = (const struct rtw89_mfw_hdr *)&firmware->data[0]; if (mfw_hdr->sig != RTW89_MFW_SIG) return NULL;